Sponsor's article > Is risk management dangerous?

Risk management has experienced a remarkable surge in significance in the past 15 years. Driven by the huge losses experienced from the mid-1980s to the mid-1990s, resources and staff devoted to risk management have increased sharply, as has the level of technical skills among its practitioners. Chief risk officer has become a common title in the financial sector, and an increasing share of those with that title now report to the chief executive officer or the management committee rather than to the chief financial officer or chief operating officer.

Risk management always exists in tension with line managers’ desire to run their own units unmolested, which engenders the predictable volume of grumpy complaints. In addition, the field’s increased public visibility has inevitably engendered what my Aussie friends call ‘cutting down the tall poppy’. While criticism of this type can be safely dismissed, a more recent and more thoughtful critique is worthy of serious attention and debate.

The risk management of everything

In 2004, Michael Power wrote an essay entitled The risk management of everything¹, in which he raised some important issues related to the ‘dark side’ of what he calls “the risk management explosion”.² Ideally, risk management should embody “significant values and ideals, not least of accountability and responsibility”.^3a But too often, he argues, the rise of risk management has been characterised by the growth of “strategies that displace valuable – but vulnerable – professional judgement in favour of defendable process”.^3b This retreat into process flows largely from pressure for what Power calls secondary risk management. Experts are increasingly being held accountable with the wisdom of hindsight for any adverse event within their domain of responsibility. The result of this is a growing preoccupation by risk managers with their personal reputation risk, which impinges on their effectiveness in controlling the risks for which they are both trained and knowledgeable. This tends to foster a dangerous flight from judgement, and a culture of defensiveness that ultimately hampers preparation for a future we cannot know.⁴

In my experience, this defensiveness extends to institutions as a whole. It is often the source of serious misallocation of risk management resources. One of the most egregious examples of this was the Y2K problem. Having been hyped in the press and elsewhere, no corporation could afford the reputation risk associated with any visible failure in this regard. Most people close to the systems in question were quite cynical about the resources being devoted to testing and certification. Generally, it was felt that modest effort would reduce any remaining issues to minor items that could safely be fixed if and as they arose. Nevertheless, the money and time devoted to remediation and testing was the best after-the-fact defence if something did go wrong. “Look, we spent £30 million. No-one can say we didn’t take the problem seriously.” In the event, of course, even areas that did not take the problem seriously had no major problems, indicating a serious waste of time and effort in most of the industrial world.

Dispelling the myth of controllability

Sadly, much of the retreat from judgement is driven by forces well beyond the control of risk managers. The legal system increasingly seeks to find ‘the culprit’ behind any mishap. Much of popular journalism follows the same knee-jerk pattern. Most recently we saw this in the coverage of the tsunami disaster in the Indian Ocean. The first instinct of the press was to ask “Why wasn’t this prevented? Why weren’t people warned? Who’s to blame here?” All this in the context of the first event of this magnitude in this part of the world in over 120 years! In such an environment, it is hardly surprising that risk managers seek to control their own personal risk.

Nevertheless, Power makes some valuable suggestions for limiting secondary risk management.^5a One is to foster an internal culture that is more learning orientated and less blame-centred. Beyond that, he calls for efforts to create “a new political and managerial discourse of uncertainty”. Such a discourse should recognise that risk management does not and cannot eliminate all risk, and it should actively counter media assumptions to that effect. Rather, risk management is intended to make the institutional selection of appropriate risks as conscious and well informed as possible. An obviously related role is to assure that this profile of selected risks is respected on the ground, where risks are actually incurred. Such a discourse would generate legitimacy for the inherent possibility of failure. It would also recognise that expert judgement is an essential ingredient of risk management and would foster a “proportionality of response to decisions which turn out in retrospect to have been wrong though honestly and reasonably made”.^5b

Allowing risk management to become synonymous with a rule-based process is to lose our way in a fundamental sense. I commend Michael Power’s essay to all who have a role in shaping the risk management framework and culture of their institutions.

¹ Power, Michael, The risk management of everything – rethinking the politics of uncertainty, Demos, 2004. The author is the PD Leake professor of accounting and a director of the ESRC centre for the analysis of risk and regulation at the London School of Economics. The full paper is available at www.demos.co.uk/catalogue/riskmanagementofeverythingcatalogue/
² Ibid, page 9
^3a&b Ibid, page 11
⁴ Ibid, page 14
^5a&b Ibid, page 62.Risk